It's also worth noting this is a case where your private information can be exposed by others. E.g. I often give guests the wifi password. Some of them use Android. I would expect them not to share the password. But I didn't know they were storing it unencrypted in the cloud.

I've given the gov't and the administration the benefit of the doubt so far on the NSA surveillance activities. It's dirty, but we were all screaming for a paramilitary security state after 9/11 like a bunch of reactionary idiots, so I think we have only ourselves to blame for the Patriot Act.

Having said that, if we find out that the gov't is snooping people's passwords from Android, I will turn in my Obama card.

It seems odd to blame the NSA for something they might do while ignoring Google's shortsightedness for storing plain text passwords in a cloud environment. Storing any confidential information in plain text is plain stupid.

Lee suggested that an easy fix to this privacy hole would be to encrypt the content of backups with a user’s Google credentials or a separate sync password.

Wait, encrypting with the user's Google credentials makes no sense if you want to protect against the NSA, as you enter those credentials (aka send them to Google) every time you log into Google.

Encrypting with a separate sync password makes sense (that's what I do in Chrome), but it should be acknowledged that there will be a relatively high error rate when people lose or break their phone and have to get a new one, but then forget their sync password and lose everything.
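The separate-sync-password approach discussed above, as an added example that is not part of the original comments and not Android's or Google's code: the backup is encrypted on the device with a key derived from the sync passphrase, so the server stores only ciphertext, and a forgotten passphrase leaves the backup unrecoverable. The function names, record layout and sample network are assumptions constructed for illustration.

```javascript
// Added illustration (not Android's or Google's code). Names and data are constructed.
const nodeCrypto = require('node:crypto');

// scrypt cost settings; 128 * N * r = 32 MiB, so maxmem is raised above Node's default.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('wifi-backup-v1'); // binds the ciphertext to this record type

// Derive a 256-bit key from the sync passphrase; the passphrase never leaves the device.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Encrypt the list of networks on the device; only the returned object is uploaded.
function encryptBackup(passphrase, networks) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every backup
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(JSON.stringify(networks), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Restore on a new device. A wrong or forgotten passphrase fails the GCM tag check
// and throws, which is the "lose everything" case: nobody else holds the key.
function decryptBackup(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAAD(AAD);
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data: one network, encrypted and restored with the same passphrase.
const sample = [{ ssid: 'guest-net', psk: 'constructed-example-psk' }];
const uploaded = encryptBackup('separate sync passphrase', sample);
console.log(Object.keys(uploaded), decryptBackup('separate sync passphrase', uploaded));
```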

If you’re using Google’s “back up my data” feature for Android, the passwords to the Wi-Fi networks you access from your smartphone or tablet are available in plaintext to anyone with access to the data.

As I read it, this sounds a bit off. Micah says the passwords are backed up/restored in clear text from Google from the phone. This does not mean the data is stored unencrypted on Google's servers, but probably is. Problem is, who exactly has access to this data? You only get this data when you back up or restore. Once you have a back up I doubt the phone is constantly sending this data all the time.

I'm sure a Wifi password isn't going to protect you from the NSA/Government Agency/Hacker/AnyoneWithABeefAgainstYou if they happen to park their truck across the street to snoop on you.

Awww let them print their WIFI password stories without criticizing. It's keeping an important issue in the news. Not like it is constantly in our faces at the mainstream level, but maybe if it stays on ARS and techdirt and popehat and all the others 24/7 for the next year, we might get 3 normal folks to say "We are being spied upon? This is outrageous!"

Having access to my WiFi password will give the NSA free Internet, provided they ever are in my neighborhood, and not much more.

It's okay with me.

I'm less worried about giving the NSA "free internet" and more worried what happens when some enterprising hacker cracks Google's servers and has a field day with the wealth of unencrypted information on there. Gaining access to encrypted WiFi networks on a mass scale would provide a treasure trove for such individuals and/or groups.

I would be more inclined to trust Google adequately securing the information if I didn't know they were storing passwords in plain text files. For all the crap we give MS for being a poorly managed company, Google seems to make an awful lot of half assed security decisions for such a massively profitable company. Especially one built entirely on information.

While there are valid concerns about how Google is backing up Android data, much of which I wouldn't want other parties to access, I could not care less if they had my Wi-Fi password. By the time they would use such information, I would be facing much larger problems. (Using such data would be expensive, which means that I would have to be a person of interest to them already, which means that they have probably violated my privacy in other ways already.)

I think I'll file "NSA" under "Bogeymen of Propagandists", right above "Terrorist".

It seems odd to blame the NSA for something they might do while ignoring Google's shortsightedness for storing plain text passwords in a cloud environment. Storing any confidential information in plain text is plain stupid.

That's because it's typical fear mongering projection onto whatever or whoever happens to be the big bad boogey man at the moment for the sake of trying to remain relevant in some way. If the present big bad boogey man happened to be Google it would be "EFF technologist says "back up my data" exposes users' data to Google." or similar.

I've given the gov't and the administration the benefit of the doubt so far on the NSA surveillance activities. It's dirty, but we were all screaming for a paramilitary security state after 9/11 like a bunch of reactionary idiots, so I think we have only ourselves to blame for the Patriot Act.

Having said that, if we find out that the gov't is snooping people's passwords from Android, I will turn in my Obama card.

NO! Actually many of us were NOT and STILL question the govt reports of the 911 activity and the whole invade the wrong muslim country baloney since 911. Get your facts straight and speak for yourself. You onion head brain-washed militia clowns need to step up to the line and help stop what you've unleashed, not play dumb and look the other way!

The Chinese hackers who breached Google's corporate servers 41 months ago gained access to a database containing classified information about suspected spies, agents, and terrorists under surveillance by the US government, according to a published report. http://arstechnica.com/security/2013/05 ... fied-data/

I am really believing that Google, Facebook and the rest of these social networks have been invaded by groups like the NSA from the day they went public! Just like the IRS does, they plant a soldier or desk within the company and become the major staff!

Sometimes I think that people who fear the Government have quite the wrong apprehension.

True. But Google can't throw people in jail if they find personal data they don't like.

How on earth would you know? Heck, most people don't even know the NSA is under the Pentagon... and the Pentagon has a black fund in the billions... which cover a lot more than the NSA, CIA, FBI, etc. They aren't there to whistle Dixie!

NO! Actually many of us were NOT and STILL question the govt reports of the 911 activity and the whole invade the wrong muslim country baloney since 911. Get your facts straight and speak for yourself. You onion head brain-washed militia clowns need to step up to the line and help stop what you've unleashed, not play dumb and look the other way!

Wait, the 'militia' clowns, who are anti-anything to do with the government generally, are responsible for the government choosing to increase its broad powers in an even broader way?

Um, did anyone actually click on that Backup Manager link? It has nothing to do with a Google service - it links to a shady Hong Kong based (and apparently, pretty awful with a 3.6 rating) third-party backup manager in the Play store.

Sometimes I think that people who fear the Government have quite the wrong apprehension.

It's not an either/or thing. Anything Google (or any other big company) stores on you, a misbehaving government can trivially access. The only way to avoid this is to not allow 3rd parties to construct databases about you to begin with.

I personally am not that concerned with Google, Facebook, or the NSA accessing my data. But anyone who thinks that Google or Facebook will "protect" their data if the government decides it wants access to it is delusional.

If Google really was all about the spirit of "openness" that it tries to market Android as being in favour of, then they really need to integrate a standard cloud API which would allow you to use a cloud service of your choice (such as your OWN server) for things such as this rather than restricting you to use of Google's proprietary cloud services.

Does anyone think that the NSA couldn't figure out your wifi password if they wanted it?

Doesn't make it right, but that doesn't seem to matter anymore

Yes, actually I think they would have a pretty hard time figuring out my 63-character, randomly generated wi-fi password. I also don't think they'd bother - if they're in wi-fi range of my house, they'd just go the extra step to break in and steal the data more directly, plant a keylogger, or whatever. I live in a small neighborhood where that black SUV would get more notice than someone who artfully picked my ancient locks and walked in the door while I was away.